CVE Catalog

CVE-2026-52917

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the SCTP sock_diag mechanism allows the dump_one function to process stale associations. After blocking on lock_sock() and sctp_association_free() completes, the association is marked dead and its bind address list is freed, leading to an out-of-bounds memory read.

Risk Assessment

An attacker could exploit this vulnerability to read unrelated association memory, potentially leading to sensitive data leakage or system instability.

Recommendation

Immediately update the Linux kernel to a version containing the fix that rejects stale associations after acquiring the socket lock.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: sctp: diag: reject stale associations in dump_one path The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list. When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory. Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS